Tag | Active Directory Posts

In the lifespan of an organisation its messaging environment will be transitioned to a newer version several times. Whilst this is not a complicated thing to do it does require some level of planning and thought. I’ll be addressing the transitioning from Exchange 2003 to 2007 from a fairly simple view here. Since the general outlines of the process are the same for nearly every situation there is no need for different detailed documents on this. We’ll be working with the following infrastructure in this ...
Paul King explains how to use the DirectoryEntry object to manipulate MSMQ properties. Our support website does a pretty good job of telling you how you can modify the MachineQuota setting for MSMQ. Unfortunately, if you need a way to do this programmatically and your installation happens to be in "Domain Mode", then there really isn't enough information here. Fortunately using the DirectoryEntry object makes this a pretty easy task. Short and to the point. Too many people using MSMQ approach it ...
As many of you may already know, I'm working at a global gaming and entertainment company, taking responsibility for designing and implementing the next generation platform, which will be running on the cloud, and also designing the cloud platform as well. Currently one of the goals is to replace the Active Directory integrated security and identity solution with a certificate-based solution in our product. In short, we need to work with Active Directory Certificate Service to request and issue the certificates ...
The SQL Azure Federation was publicly launched several weeks ago and this is one of the most exciting features I’m looking forward to. This might be the first post on SQL Azure Federation, and hopefully not the last one. Some Backgrounds SQL Azure Federation was mentioned in about 2009. Microsoft said that there would be a feature in SQL Azure allowing users to split one database into many based on some sort of rules. But from the client-side perspective, users can interact with their data as if in ...
Consider this article on DNS a prequel to the upcoming ADDS series. After all, any Active Directory implementation requires DNS integration. So what is DNS? DNS is a highly reliable, hierarchical, distributed and scalable database used for name resolution and service location. So basically it translates friendly names (www.contoso.com) into IP addresses (11.12.13.14) allowing clients to connect to resources in the infrastructure without memorising pesky IP numbers. History of DNS When the DoD initially ...
© 2011 By: Dov Trietsch. All rights reserved. Finding a person in the forest or Limiting the AD result in SharePoint People Picker. There are times when we need to limit the SharePoint audience of certain farms or servers or site collections to a particular audience. One of my experiences involved limiting access to US citizens, another to a particular location. Now, most of us – your humble servant included – are not Active Directory experts – but we must be able to handle the “audience restrictions” ...
When you are going to join any computer from domain controller, the following error will appear on your computer screen. Full Error Message ...

Very good introduction video on how Active Directory Federation Services (ADFS) and Windows Azure Access Control Service (ACS) work together for claims-based applications in the cloud.

When developing WCF services that interact with a custom Security Token Service (STS), you will need to create at least one X.509 certificate. If you have access to a trusted certificate authority – e.g. a Windows Active Directory domain – then this task is pretty simple. But if you don’t, or maybe you would just rather create a set of self-signed certificates, here is an approach that works well for me. This particular scenario utilizes three separate certificates. The first one is named “localhost” ...
Recently we upgraded to Hyper-V. Everything was working great, until Friday. I had just installed Windows Updates for August, and was going through and restarting our two domain controllers (on separate hosts), one at a time. Which probably shouldn't be done during the day, but I've NEVER had problems with it before. Well, after one restarted, and I logged in, I restarted the second one. Which restarted without any problems, until my Hyper-V host said that the management console couldn't reach the host. ...
Since Exchange versions from 2007 and up put more emphasis on the web services for use in the distribution of the offline address book, out of office, the scheduling assistant and autodiscover (a.k.a. Outlook connectivity to Exchange), the correct configuration of the virtual directories and IIS components is the main key to a healthy Exchange environment. It is for this reason that I have compiled a quick reference as to how these components should be configured in order to function properly and so ...
Recently, my Active Directory user account was getting locked out on a regular basis after changing my user account password. In our environment, the two most common causes for Active Directory user account lockouts are disconnected RDP sessions or an invalid password on a mobile device configured for Exchange ActiveSync access. I used the LockoutStatus.exe Tool to search for one or more disconnected RDP sessions using my old password but I was not able to find anything. So, the next thing I checked ...
Welcome to this second instalment of the series! This series of articles is aimed at giving you a hold and a sort of “Best practices” to starting any kind of migrations. Whilst each technology or project has its quirks and traps most of the process you’ll need to go through is, roughly, the same. The second article will describe a so-called “test run” or, as I like to call it, practicing with duds... Seeing as running a test system into the ground is not quite as disruptive as destroying an actual ...
Initial troubleshooting As always, one of the first things to check is the event viewer to see if an event was generated detailing the error. Additionally check the %windir%\debug for the adamsetup.log and adamuninstall.log (this last one is only created during the uninstall process). These two logs will tell you where the setup is failing and what should be checked. It also pays to know that setup errors are written to the registry. If you cannot find the following key there was no failure as the ...
A lot of calls I get are related to the information store service of the Exchange server not starting. Since troubleshooting why this service does not start is often related to a lot of stress (after all, your users and managers will be pounding your door as they cannot access their email) it is always handy to have some reference as to where you can start and what direction it can take. This is my basic modus operandi so feel free to give suggestions on how to improve it :). First of all you need ...
LDAP is not Active Directory, though Active Directory is LDAP. As someone who drinks the Microsoft Kool-Aid, I found myself using LDAP for something other than Active Directory and I thought I should share what I have found. The problem domain was to connect a new MVC application to an existing Sun One LDAP Store. First off, authenticating an MVC application using forms mode authentication and the Membership providers is straightforward. Start with the ASP.NET MVC 2 Web Application Template that ...
Well not really that long ago, this is actually brand new for me. I just decided today to start blogging about my experiences as an IT professional. Since none of you know me, I am a systems engineer for a NJ based energy company. My main areas of expertise are in Microsoft server technologies specifically Exchange, Active Directory and plain old Windows Server along with vSphere and many more. My job responsibilities entail life-cycle management, developing infrastructure standards and solutions ...
When we started our Exchange 2010 deployment, we ran into an issue with not being able to modify distribution lists. I documented how to fix this issue in a previous post. Not too long ago, we started getting a few reports from users with Exchange 2010 mailboxes that they could not modify their distribution lists and the error message they were getting was the same error message we saw when we started deploying Exchange 2010. When a user attempted to modify a distribution list they owned, they would ...
One of my recent projects involved creating an authentication module compatible with both .Net 3.5 and 4.0 and supporting platforms as early as Windows 2000. In the next few lines, I will highlight our progressive thinking and the various implementations we experimented with along with a summary of shortfalls we found with each. For those reading this post, please feel free to share your thoughts in the comments section as I am looking forward to reading and learning from your ideas and input. Principal ...
I’m trying to set up TFS Lab Management on a new server and I ran into a really weird issue trying to configure it that I figured I’d share the solution to in case anybody else encountered it. This was a brand new machine, I installed Windows Server 2008 R2, all the Windows Updates, joined the machine to the domain, then started running through the Lab Management Install Guide: Configuring Lab Management for the First Time. I had a previously created Domain Account called TFSLAB created specifically ...
After we moved one of our user mailboxes from Exchange 2003 to 2010, the user started getting a Cannot get mail. The connection to the server failed error message on their iPhone device. There are a lot of references on Google to check for inherited permissions to resolve the error message. We quickly determined that we were not dealing with a permissions issue. After some additional troubleshooting and research, we were able to isolate the problem to a device partnership issue. To resolve the issue, ...
This time I want to introduce you to two utilities that both have a tail! The first is the BeaverTail ADSI browser at http://adsi.mvps.org/adsi/C... This is a useful utility for doing Active Directory queries. This is free for both personal and commercial use. The source code is also available. The second is a Windows equivalent to the Unix tail command to allow easy reading of flat file logs. This is free for personal use but must be registered for commercial use. Download it ...
When I attempted to configure one of our user’s Meeting settings using the Microsoft Office Communications Server 2007 R2 Administration Tool I received a Validation failed – Validation failed with HRESULT = 0XC3EC7E02 dialog box error message. I received the same error message when I tried to configure the user’s Telephony and Other settings. Using ADSI Edit, I compared the settings of a user that I had no problems configuring and the user that I had problems configuring. For the user I had problems ...
Consider the following: We have an account named MYDOMAIN\eholz. This account's Active Directory Login Name changes to MYDOMAIN\eburrell. Now this user was an active user in a SharePoint 2010 team site, and had a userProfile using the account name MYDOMAIN\eholz. Since the AD LoginName changed to eburrell, we need to update the SharePoint User (SPUser object) as well as update the userProfile to reflect the new account name. To update the SharePoint User LoginName we can run the following stsadm command ...
I needed to clean out a bunch of old accounts at Veracity Solutions, and wanted to delete those that hadn’t used their account in more than a year. I found that AD has a property on objects called the lastLogonTimestamp. However, this value isn’t exposed to you in any useful fashion. Sure, you can pull up ADSI Edit and eventually get to it there, but it’s painful. I spent some time searching, and discovered that there’s not much out there to help, so I thought a blog post showing exactly how ...
Advert alert :-) The UK's only Cloud user group The Cloud is the hot topic. You can’t escape hearing about it everywhere you go. Cloud Evening is the UK’s only cloud-focussed user group. Cloud Evening replaces UKAzureNet, with a new objective to cover all aspects of Cloud Computing, across all platforms, technologies and providers. We want to create a community for developers and architects to come together, learn, share stories and share experiences. Each event we’ll bring you two speakers talking ...
Here’s a quick tip for something that I ran into again this weekend. I was creating service accounts in my development environment’s Active Directory, and one of the names was a little long. My account name was: AccessServicesAppPool. When I went to SharePoint Central Admin and tried to add my new service account, I kept getting an account not found message. I even cut-n-pasted the user name, but that didn’t work. What I failed to notice was that the “pre-Windows 2000” login was truncated by one ...
In a previous post, I wrote about how to get LDAP authentication working in Collabnet. By default, all LDAP users are put into the Users role on the server. For most purposes, this is just fine, and I don’t have a way to change this. The documentation gives hints that you can add them to other roles, but for now, I don’t have the need. However, adding permissions to different repositories is a different question. To add them, go to the repositories list, select Access Rules and then you can enter ...
We want to use both subversion usernames and passwords as well as Active Directory for our authentication on our Collabnet subversion server. This has proven to be more of a challenge than we thought, mostly because Collabnet’s documentation is weak in this area. To supplement that documentation, I add my own. The first thing to understand is that the attribute that you specify in the LDAP Login Attribute ONLY applies to lookups done for the user. It does NOT apply to the LDAP Bind DN field. Second, ...
Recently for a customer with a rather large Exchange environment, we implemented multiple CAS Arrays across various sites in the network. The customer decided that all external access to OWA would come into one Internet entry point and that Array would proxy OWA requests to the other CAS Arrays to retrieve the user mailbox. We found out quickly that this does not work straight off. When you create a new CAS array in PowerShell, it repopulates all the local URLs for the web services, autodiscover, ...
I didn’t go to Microsoft’s Professional Developer’s Conference (PDC) this year because it was, as far as I could tell, a made-for-streaming video event. As such, I watched the keynote about 24 hours after it took place and used my Media Center PC to watch it on my plasma television. And I have to say, the keynote was worthy of the medium. Not only did the Silverlight Smooth Streaming technology deliver a fine HD image, but the content of the keynote itself merited a big screen, and necessitated ...
I ran into a real head scratcher this week. While migrating a very public folder dependent organization, I couldn’t access public folders through OWA. I had full public folder functionality in the Outlook client, only OWA was affected. The environment was still in a hybrid state with production Exchange 2003 servers in the organization as well as DR servers which were using a third party replication package. The exact error I was getting looked like this: I had already established all 2010 and 2003 ...
Here is a collection of approaches I've pulled together from my archives for telling if MSMQ is installed without being able to physically go and bring up Computer Management to check yourself. Please feel free to let me know if you have developed any of your own tricks to do this. Points 5.12 and 5.13 are from the MSMQ FAQ: 5.12 Is there a programmatic way to know if Message Queuing is installed on a computer? Yes. Try to load Mqrt.dll (using the LoadLibrary API). · For MSMQ 1.0 and 2.0, the DLL ...
For beginners to MSMQ development, the fact that there are FIVE ways of addressing an MSMQ queue is a real pitfall. Many hours will be lost trying to work out why a seemingly perfect address keeps returning errors. From MSDN: Referencing a Queue To perform an operation on a queue, an application must reference the queue in one of five ways, depending on the operation that the application is performing: By path name—used to create the queue, to open the queue for sending, peeking at, and receiving ...
Messaging is now a critical application for any company, but having an adequate solution in place is not simple. Regulatory requirements are increasingly complex. Mergers and the diversification of activities require rapid adjustment of capacity. It is increasingly necessary to have greater knowledge and experience in the technology, and the balance between buying and building is changing. An attractive solution to this challenge is Microsoft® Exchange Online, a messaging service of ...
As you can see, creating users only takes a minute or two, so creating a handful of accounts during a trial is no big deal. But when the time comes to start bringing dozens or hundreds of accounts over, you’re going to want a more automated approach. In the Users / Overview subtab, you’ll find an “Import users from a file” link under Actions. The file in question must be in CSV format. There’s no need to reinvent the wheel here. Simply download Microsoft’s offered .csv file template or file (or both) ...
There's a KB article for MSMQ 4.0: 935498 A Message Queuing 4.0-based server runs in Workgroup mode after you install the Message Queuing Active Directory Domain Services Integration feature This problem may take you by surprise as it's not how previous versions worked. In the past a reinstallation of MSMQ in Active Directory Integrated Mode would go as follows: MSMQ installed first time MSMQ object is created under the computer object in AD MSMQ uninstalled MSMQ object is deleted from AD MSMQ installed ...
A few companies pack huge amounts of useful information into their queue names so that it is very easy to work out what each queue is for. A downside of this is that some Windows applications inconsistently display the queue names. Take the following sample public and private queues I created for test, each 70 characters in length: Performance Monitor can only display 64 characters for the MSMQ queue object which includes the computer name (and "\private$" for private queues) as documented here: ...
On its face, enabling the account lockout policy seems like a good idea. Get the password wrong (n) times and you’re ok, get it wrong (n + 1) times and your account is locked out for a period of time; typically 30 minutes. Sometimes a call to the help desk is required to reset the password if the lockout duration has not been defined. Even if it is defined, most users are not likely aware of the policy and call anyways. Even if they are aware of it, how many users do you know that can afford to sit ...
Security Security is a nonnegotiable requirement for a cloud service offering to be successful. Access control and security for business data is of utmost importance. Business data stored in the cloud needs to be encrypted not only during storage but also during transport. Secure data and network channels across application domains in the cloud should be built right into the cloud service infrastructure. Access control prohibits unauthorized access to the data and applications and provides authorization ...
If you see any Critical Permissions inheritance block on Exchange server object entries listed in the Exchange Pre-Deployment Analyzer report for your Exchange environment, it is highly recommended that you fix these Critical entries before you install your first Exchange 2010 server. If you do not fix these Critical entries, you may encounter the following error messages when you run the Exchange Management Console or run specific Exchange PowerShell commands to view public folder information. Please ...
*Moved to: Active Directory Groups not Syncing with Team Foundation Server 2010. For a little while now I had been investigating an odd occurrence in Team Foundation Server. Users added to Active Directory groups have not been filtering back into the Team Foundation Server groups cache. This meant that we had to add users directly to Team Foundation Server in order to give them permission. While this was not ideal, it did not really inconvenience us that much, but we are now trying to streamline our ...
You must prepare your Windows Active Directory before you install your first Exchange 2010 Server in your organization. It is highly recommended that you prepare and test these changes in your lab environment before you touch your production environment. When we prepared our Windows Active Directory production environment, we encountered the following error messages in the ExchangeSetup.log file when we ran the /prepareAD option. Here are a few snippets from the ExchangeSetup.log file for your review. ...


We are currently deploying Exchange 2010 within a large and complex Windows 2003 Active Directory and Exchange 2003 environment.  Over the next several months, I will be posting articles regarding things we’ve run into or things we’ve learned that will help with your deployments.

In my initial announcement I could only cover a small subset of what ApiChange can do for you. Let's look at how ApiChange can help you to fix bugs due to wrong usage of an Api in a fraction of the time it would normally take. It happens that software is tested and some bugs show up. One bug could be …. : We get way too many log messages during our test run. Now you have the task to find the most frequent messages and eliminate the Log calls from the source code. But what about the myriads of other log ...
Here are a few one-liners that use NetCmdlets. Some of these I've blogged about before, some are new. Let me know if you have questions, which ones you find useful, or how you altered these to suit your own needs. Send email to a list of recipient addresses: import-csv users.csv | % { send-email -to $_.email -from lance@nsoftware.com -subject "Important Email" –message "Hello World!" -server 10.0.1.1 } Show the access control list for a specific Exchange folder: get-imap -server $mymailserver -cred ...